Social network aggregator no crook for violating Facebook TOS

Facebook is miffed at Power.com for enabling Facebook users to access the site …

Those of you who rarely if ever read the Terms of Service on social networking websites can breathe a temporary sigh of relief. With help from the Electronic Frontier Foundation, a Northern California US District Judge has dismissed Facebook's lawsuit against Power.com—at least for now. The court was not convinced by Facebook's claim that Power.com's unwanted efforts to integrate Facebook into its network of social networks constituted a violation of California's criminal code.

Reading though his opinion, one senses that Judge James Ware appreciated the gravity of this issue. "In the modern context, in which millions of average internet users access websites every day without ever reading, much less understanding, those websites' terms of use, this is far from an easy or straightforward question," Ware wrote.

But he also warned that if Facebook could prove that Power.com tried to circumvent Facebook's attempts to block its efforts, that would be a different matter.

Still, all in all, "good news," says EFF's Marcia Hoffman, who filed an amicus brief in the case. "Another federal judge has ruled that violating a website terms of service is not a crime."

Perhaps the most famous decision of this sort came out of the trial of Lori Drew. In that instance a judge determined that Drew's construction of a phony MySpace identity may have violated that site's terms of service, but it didn't run afoul of the anti-hacker Computer Fraud and Abuse Act.

Let's take a look at Facebook vs. Power.com.

Security measures

"All your friends in just one place," is Power.com's slogan. The firm offers one-stop login/password networking to Twitter, Linked-In, Orkut, and HI-5. But Power.com lost a friend in Facebook pretty fast when it tried to add the network to its service list.

"Power.com's access of Facebook's website and servers was unauthorized and violated Facebook’s rights," Facebook's complaint insisted, "including Facebook's trademark, copyrights, and business expectations with its users."

Nonsense, Power.com pushed back, and has gone so far as to sue Facebook for violation of the Sherman Anti-Trust Act.

"One example of Facebook improperly restricting their users' ownership and control of their own data is Facebook's purported 'security measure' of prohibiting users from providing their own username and password to third parties, such as Power," the company complained. "But this is not a 'security measure' at all. The entry of usernames and passwords to access a website through a third-party site poses no threat to security. On the contrary, it is commonplace in the industry."

To this Facebook responded that however Power.com sees the situation, Facebook did not give the company a green light to recruit all those Facebook users.

Facebook's Terms of Service make this clear, its attorneys argued. The social network's users may not "collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without [Facebook's] permission."

Guilty, but of what?

Judge Ware agreed with Facebook about the permission question in the context of Facebook's TOS language. But he found far less convincing Facebook's claim that this violation of its terms somehow ran afoul of Section 502 of California's Penal Code.

Section 502 makes a miscreant "guilty of a public offense" if he or she "knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network," or "knowingly and without permission uses or causes to be used computer services."

These and other forms of mischief described in the legislation are punishable by fines as high as $10,000 and jail or prison sentences as long as 16 months. Companies that feel that this law has been broken at their expense may also invoke it in a civil suit.

But Ware worried that applying Section 502 to this case would essentially allow the owner of a website or Web-based service to classify as criminals consumers who used their site in ways that they didn't like.

The judge was obviously influenced by EFF's amicus logic. "Merely providing a tool to assist an authorized user in accessing his or her own data in a novel manner cannot and should not form the basis for criminal liability," EFF warned.

When California lawmakers enacted the law, Ware wondered, did they really intend it to apply to Power.com's behavior towards Facebook?

"It is far from clear what conduct the legislature believed posed a threat to the integrity of computers and computer systems, or if the legislature could even fathom the shape that those threats would take more than twenty years after the statute was first enacted," he wrote.

And so Ware found that the "without permission" phrases in Section 502 simply did not apply to this case.

Nothing inherently wrong

But, the court added, if Facebook can prove that Power.com deliberately tried to circumvent some of Facebook's technical barriers, such as the social network's attempts at barring its IP addresses, that could constitute a violation of the California law. "There can be no ambiguity or mistake as to whether access has been authorized when one encounters a technical block," Ware warned.

In fact, all that Power.com did was change its IP addresses, but for now EFF is declaring victory—hoping that future courts will see the matter differently.

"There's nothing inherently wrong or unlawful about avoiding IP address blocking," EFF's Hoffman wrote, "and there are valid reasons why someone might choose to do so, including to sidestep anticompetitive behavior by other Internet services. As long as an end user is authorized to access a computer and the way she chooses doesn't cause harm, she should be able to access the computer any way she likes without committing a crime."

Matthew Lasar
Matt writes for Ars Technica about media/technology history, intellectual property, the FCC, or the Internet in general. He teaches United States history and politics at the University of California at Santa Cruz. Emailmatthew.lasar@arstechnica.com//Twitter@matthewlasar